Network Interrogation

Morning all,

Looking for some advice here.

We are currently creating a new site-wide fibre network for PLCs and SCADA, as the existing Ethernet Network has been evolving since 1999...using CAT5/fibre/unmanaged switches...and few records.

I have many CAT5 cables that are unmarked, and I will need to trace what is on the device end of the cable as they disappear off under floors etc. because I will need to ensure that I capture all devices, preferably with new cables to the new managed switches in a different location to the existing ones.

Any ideas on how best to find what devices are on the cables?
I do know the expected range of IP Addresses that the devices should be on.

Advice much appreciated.

Unplug a cable and ping?

Aye, that is the way I first thought of, and it is a production environment, so get few chances to unplug cables, although that has got to happen at some point, else I will get nothing done...

Tomorrow I have a part-shutdown day, so may get some partial interrogation done, with the more obvious cables, but around 350 devices to identify over the piece may take some time...

I have used this from Fluke with good success. But I had a reasonable idea of where the cables were going at the start. I'm not sure if it will help with your situation or not.

http://www.flukenetworks.com/datacom-cabling/copper-testing/IntelliTone-Pro-Toner-and-Probe

Will.

If your only concern is finding out what is at the end of the cable, the best way would be to ping.

I use a program called "Angry IP Scanner", to mass ping networks. It's free and really easy to use.

http://angryip.org/

This won't get you a 100% of the way there but its a start. Once you know all of the IPs on the network using AngryIP you could use the GETMAC /s command to get the MAC address for each device. Once you have the MAC address you can use a website like www.macvendors.com to reverse look-up the vendor for each devices MAC address. (The first 3-bytes of a MAC address identifies the manufacturer) Unfortunately this will just tell you the vendor, the last 3 bytes of information are assigned by the manufacturer I do not know if they are model/product/etc specific.

If the network is of any meaningful size I think I would start with a network mapping tool before I started tracing cables and using ping to identify things which is going to take a long time.

Also many network devices are set not to respond to ping for security reasons.

I recommend Solar Winds Network Topology Mapper. It has a free and fully functional try before you buy 14 day trial. I put the link below but I would do that first.

You can export the map it creates to Visio and it can tell you what device connects to a given switch port with all up links, etc.

There are many other Solar Winds tools to help you manage and maintain your network also. I highly recommend them if you have the budget.

http://www.solarwinds.com/network-topology-mapper.aspx

You could try:

1. Unplug unidentified cable from switch
2. Start a wireshark capture on your laptop
3. Plug unidentified cable into laptop and view results
4. Repeat 350 times
5. ???
6. Profit!

Obviously, not everything is going to say anything useful to you, but if there is something at the other end you may get some sort of comms information, which would include an IP address. Knowing the IP address might help you work out what it is.

Thanks for the responses guys.

Will see if I can give them a try.

It is probably fair to say that I know many of the devices on the network, well, the ones that I have found so far, but as to how they are connected is another matter, as there are fibre links going various ways, then converted to CAT5, then back again. Drawings seem to show 8 port hubs, but are 24 ports hubs, there are also hubs in panels that do not appear on drawings.
All points to the network growing over the years and cables plugged in where possible.

Network mapping with solarwinds sounds an interesting one, as one of the companies quoting the new switches suggested using the solarwinds software going forward.

JohnCalderwood said:

Thanks for the responses guys.

Will see if I can give them a try.

It is probably fair to say that I know many of the devices on the network, well, the ones that I have found so far, but as to how they are connected is another matter, as there are fibre links going various ways, then converted to CAT5, then back again. Drawings seem to show 8 port hubs, but are 24 ports hubs, there are also hubs in panels that do not appear on drawings.
All points to the network growing over the years and cables plugged in where possible.

Network mapping with solarwinds sounds an interesting one, as one of the companies quoting the new switches suggested using the solarwinds software going forward.

Click to expand...

If you have HUB's anywhere I would replace those ASAP. Network mapping is the way to go an anything that has above 20 - 30 devices.

Get comfortable with MS Visio and make a drawing as you go and keep it up to date. Sadly 70% of networks you come across are like this and it takes a lot of work to get it cleaned up.

I would rid myself of the fiber to Ethernet converters also. You see those when people have hired hack jobs for networks admins that don't have a clue what they are doing.

You should have a core switch in your server room and all your outbound connection equipment should reside there also such as modems, phone lines ,etc.

From your core switch if you have to cover distances that will come close to or exceed copper lengths you should use fiber and then place distribution switches in areas with lots of devices or central locations. The fiber should connect your core switch to you distribution switch by using SFP ports so no fiber to copper converters as they are just another point of failure and a poor way to implement a link.

I would not a set a switch anywhere less than 24 ports unless it was a switch for a user for example if sally has a network printer in her office and a VOIP Phone plus her PC I would give her a 4-5 port switch in her office but everywhere else would be a 24 port or larger giving you room for growth.

If you are doing WIFI I highly recommend Ruckus and I like to use the item in the link below for good coverage in offices and conference rooms as it gives you a wired switch and it's an access point and it mounts right over the network jack on the wall.

https://www.ruckuswireless.com/products/access-points/zoneflex-indoor/zoneflex-h500

a managed switch will tell you what MAC addresses are on which ports. If you catalog the mac addresses of all the end devices and look up the MAC tables on the managed switch you will know which port of the switch the devices are connected to.

V0N_hydro said:

a managed switch will tell you what MAC addresses are on which ports. If you catalog the mac addresses of all the end devices and look up the MAC tables on the managed switch you will know which port of the switch the devices are connected to.

Click to expand...

Read the first post....they are using unmanaged switches. Otherwise this is fairly easy by viewing the MAC table.

OG

Operaghost said:

Read the first post....they are using unmanaged switches. Otherwise this is fairly easy by viewing the MAC table.

OG

Click to expand...

This applies to the proposed network manager software as well - it won't really map anything without managed infrastructure to indicate which device is connected to which port, usually done through the mac address table and/or LLDP, CDP or variants.

If the plan is to upgrade to managed switches anyway (many ask is it worth the extra money to go managed vs. unmanaged - this very problem is an argument for...) I would drop in a managed switch now to gain access to this information immediately, then start the mapping.

Also the GETMAC command doesn't seem effective here at all. For me, it gives me the MAC address of my interfaces on Windows 7. I think the intent is to get the MAC addresses of all of the devices, so I would think


on a Windows host would be the way to go, IF the device was recently accessed by IP, such as after some type of scan. Note it only shows up here if the devices are on the same subnet. If a router is crossed, they won't show.

A Linux command could be


which sends broadcast ARP requests and populates the response. Any which way you scan, whether through angryip, nmap/zenmap, or with a package, scan SLOW. Embedded deices often cannot handle the load of a scanner. Newer ones are better, but doing this can crash your devices in some cases (they may crash anyway, depending on how they are accessed!) so plan for off hours scanning.

In the end, managed infrastructure with a network manager software package (there are many free ones too, with various levels of functionality and bugs) would be a great addition. I can't live without the network view - every problem I check the interface graphs first to rule things in or out. Invaluable.

Everything is unmanaged at the moment, and our plan is to replace them all with managed switches, so that part is covered.

I got the free download from SolarWinds, and since then I had 2 emails promising me big discounts if I bought before the 29th....
They also promised technical support, so I pinged a couple of questions at them yesterday - no response yet, so suspect they are automatic emails sent in response to the download form on the website.

As usual, other issues have overtaken me...6 hours yesterday on a new machine changing out parts to try to get it working, only to discover it was a network cabling issue on the IT side, even though the CAT6 cables tested out OK with 2 testers and laptops could ping through to the server - the device itself (win CE) could not deal with it though....

JohnCalderwood said:

As usual, other issues have overtaken me...6 hours yesterday on a new machine changing out parts to try to get it working, only to discover it was a network cabling issue on the IT side, even though the CAT6 cables tested out OK with 2 testers and laptops could ping through to the server - the device itself (win CE) could not deal with it though....

Click to expand...

A primary reason why the manufacturing network should be separate from the corporate network both in logical and physical forms. Connections from the Manufacturing LAN to the corporate LAN should be made to share only needed data and access and done in a controlled method that will insure that an issue on one network does not hinder the core operation of the other.

Many companies are networking their equipment using the physical corporate LAN and doing a Logical separation for the Manufacturing LAN and this is a huge mistake in almost every case.